Crossing the Streams with State Machines in IDS Signature Languages

While network intrusion detection is not dead, it is certainly pushed beyond current limitations by contemporary exploit techniques. One area that has highlighted IDS shortcomings is the lack of state machines that track exploit communications that cross multiple streams. Simultaneously, this difficulty created an opportunity in the SIEM world where a core feature expected by SIEM users is the ability to alert on sequences of events regardless of the underlying data or how it is delivered. This talk will present an exploit-driven argument for the need in the intrusion detection community to implement cross-stream state machine capabilities within IDS signature languages. For example, the “flowbits” keyword in Snort’s language can build a state machine out of a set of rules as it watches for malicious traffic, but such rules linked by flowbits criteria can only apply within a single TCP connection. This is quite limiting. Imagine a generalized “flowbits” keyword (call it “xbits”) that can set a bit on a UDP flow and then test it within a seemingly unrelated TCP connection. This talk will use Metasploit modules that require multiple independent connections for successful exploitation to illustrate why a new “xbits” keyword is needed within Snort and Suricata.
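To make the distinction concrete, here is an added toy matcher (my own illustration, not code from the talk, Snort or Suricata) that runs two linked rules over a constructed sequence of flow records. The first rule sets a bit when a UDP packet carries the "STAGE1" marker; the second alerts only if a TCP packet carrying "STAGE2" finds that bit already set. With `scope="flow"` the bit is keyed on the full 5-tuple, mimicking `flowbits`, so the TCP connection never sees it and the sequence is missed. With `scope="host"` the bit is keyed on the source address, a simplified version of the proposed `xbits` (and of the `track ip_src` option Suricata later shipped under that name), and the cross-stream sequence produces an alert. The markers, addresses and SIDs are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Event:
    """One packet as the detection engine would see it after decoding."""
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    content: str    # the bytes a content: match would inspect (constructed)

@dataclass
class Rule:
    """A minimal stand-in for a signature with flowbits/xbits keywords."""
    sid: int
    proto: str
    content: str
    sets: Optional[str] = None      # like flowbits:set,<name> / xbits:set,<name>
    requires: Optional[str] = None  # like flowbits:isset,<name> / xbits:isset,<name>
    noalert: bool = False           # like flowbits:noalert

# Hypothetical two-stage exploit: a UDP exchange followed by a TCP connection.
RULES: List[Rule] = [
    Rule(sid=1000001, proto="udp", content="STAGE1",
         sets="exploit.stage1", noalert=True),
    Rule(sid=1000002, proto="tcp", content="STAGE2",
         requires="exploit.stage1"),
]

def flow_key(e: Event) -> Tuple[str, str, int, str, int]:
    """5-tuple key: what flowbits state is scoped to."""
    return (e.proto, e.src, e.sport, e.dst, e.dport)

def run(events: List[Event], rules: List[Rule], scope: str) -> List[Tuple[int, str, str]]:
    """Evaluate rules in packet order; return (sid, src, dst) for each alert.

    scope="flow": bits live on the 5-tuple (flowbits behaviour).
    scope="host": bits live on the source IP (simplified xbits behaviour).
    """
    if scope not in ("flow", "host"):
        raise ValueError("scope must be 'flow' or 'host'")
    state: Dict[object, Set[str]] = {}
    alerts: List[Tuple[int, str, str]] = []
    for e in events:
        key = flow_key(e) if scope == "flow" else e.src
        bits = state.setdefault(key, set())
        for r in rules:
            if r.proto != e.proto or r.content not in e.content:
                continue
            if r.requires is not None and r.requires not in bits:
                continue            # isset test failed: rule does not fire
            if r.sets is not None:
                bits.add(r.sets)    # set the bit for later rules
            if not r.noalert:
                alerts.append((r.sid, e.src, e.dst))
    return alerts

# Constructed traffic, in chronological order.
SAMPLE_EVENTS: List[Event] = [
    # attacker 10.0.0.5 completes the UDP stage against 10.0.0.9
    Event("udp", "10.0.0.5", 40000, "10.0.0.9", 69, "\x00\x01STAGE1\x00"),
    # the same attacker then opens an unrelated TCP connection for stage two
    Event("tcp", "10.0.0.5", 51000, "10.0.0.9", 445, "SMB STAGE2 payload"),
    # a different host sends only the second stage: no prior state, no alert
    Event("tcp", "10.0.0.7", 51001, "10.0.0.9", 445, "SMB STAGE2 payload"),
]

def flowbits_alerts() -> List[Tuple[int, str, str]]:
    return run(SAMPLE_EVENTS, RULES, scope="flow")

def xbits_alerts() -> List[Tuple[int, str, str]]:
    return run(SAMPLE_EVENTS, RULES, scope="host")

if __name__ == "__main__":
    print("flowbits scope:", flowbits_alerts())   # []
    print("xbits scope:   ", xbits_alerts())      # [(1000002, '10.0.0.5', '10.0.0.9')]
```

The third event shows the check a practitioner would want from a host-keyed bit: a second-stage connection from a host that never completed the first stage still does not alert, so widening the scope from flow to host does not by itself turn the second rule into a plain content match. A production keyword would additionally need an expiry on the bit and a choice of tracking key (source, destination or pair), which this toy omits.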

Presented by